Please help me, I'm a bit stressed with this leak I just discovered. I might have made a mistake in my config...

Click to expand...

No need to be stressed, what the user can see there is the same that he sees when he downloads the ispconfig tar.gz file, so there is no sensitive data there and not data that is specific to your installation.

The reason for the filelisting is that Indexes is on in the ispconfig vhost, this has been changed already in svm some time ago and will get changed in the next patch release. But as I explained above, thats uncritical.

If you want to change it on your server, edit the ispconfig vhost file and add change the Option line to:

I know its already stated that there's no sensitive data in the folders exhibiting this but for sake of completion would it be better to have an emtpy index.php file in these folders so not relying on switching off Indexes?

I see valid index.php with code in remote, tools, help, admin, login, mailuser and designer folders but as per OP not in client, dashboard, dns, js, monitor, mail, sites, strengthmeter, temp, themes and vm

I didn't go any further folders down the structure, but I did copy a blank index.php into each of the ones above anyhow. To me, it tidies it up?

The index.php files in some modules mean that this module has a start page which is not a list page, so adding empty files would just confuse the schema. I'am not a fan of adding unescessary files btw. . The current situation is not as it should be and fixed in svn already. But it does not really harm on the other hand as all files are written in a way that direct access without logging in first can not be misused and which files are available in a folder can everybody see by downloading the ispconfig tar.gz, so even if the -Indexes would fail on a server, its uncritical.